As a user, I want to avoid mixed content warnings so that I can view the form in the Wizard.
Loading the Form Preview in the Onboarding Wizard throws a mixed content warning and blocks the iframe.
The Form Preview route URL should match the http/https configuration used by the Onboarding Wizard.

Looks like home_url() isn't considering is_ssl().
I would expect that is_ssl() would be taken into consideration:
If $scheme is ‘http’ or ‘https’, is_ssl() is overridden.
... but that doesn't seem to be the case.

A plugin like Really Simple SSL resolves the issue, which I think I would be using in production along side a certificate.
Because the Form iframe isn't in the admin, WordPress isn't honoring is_ssl(), rather it is defaulting to the value stored in the home option.
$url = get_option( 'home' );
// ...
if ( is_ssl() && ! is_admin() ) {
$scheme = 'https';
} else {
$scheme = parse_url( $url, PHP_URL_SCHEME );
}
The change that surfaced this issue is that I started using WP-CLI to automate refreshing my WordPress installation, in which I wasn't setting a protocol for ---url. Previously, I was using the browser based installer, which was pulling in the https from the URL.
@kjohnson This doesn't seem to be as serious as we first thought. Moving this out of the release and into cool-down.
Closing as this was resolved and merged in #5189.